Episode #14

AI Supply Chain Attacks, Iranian PLC Exploits, and DPRK IT Workers

Show Notes

This week on Dragon News Bytes, Eli Woodward and Will Baxter break down a fast-paced week in cybersecurity. From the rapid operationalization of AI in supply chain attacks to formal joint advisories on Iranian actors targeting critical infrastructure, the threat landscape is escalating quickly. The team also dives deep into North Korean IT worker schemes generating millions, new zero-days hitting edge devices, and the takedown of an APT 28 router botnet.

Topics & References

Part 1: The NPM Poisoning Epidemic & The AI Accelerant

  • Axios Backdoor: The team discusses ongoing NPM package exploitation, specifically highlighting the Axios package. Axios sees over 100 million weekly downloads, and at least two backdoored versions have been live recently. Unit 42 published an updated threat brief confirming the attack hit over 10 sectors across five geographic regions.
  • The AI Factor: Will Baxter attributes this spike in supply chain attacks to the operationalization of AI. AI makes reviewing codebases for vulnerable packages incredibly easy for attackers.
  • LLMs as Exploit Developers: Eli Woodward recalls an NSA prediction that LLMs would become great exploit code developers and malware analysis engines. The rapid pace of this AI evolution is forcing defensive teams to adapt quickly without the benefit of increased headcounts.
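The practical follow-up to the Axios discussion is checking whether any lockfile in your estate resolves to a backdoored release, including copies nested under other dependencies, where a clean top-level pin hides them. The Python below is an added example for these notes, not code from the podcast, Unit 42, or the axios project; the episode does not name the affected versions, so the bad-version set and the lockfile fragment are constructed placeholders to be replaced with the versions from the advisory you are acting on.

```python
"""Audit an npm lockfile for copies of a package that resolve to known-bad versions.

Added example for these show notes; not code from the podcast, Unit 42, or the
axios project. The bad-version list and the lockfile below are constructed
placeholders, since the episode does not name the backdoored axios versions.
"""
import json

# Constructed placeholder versions for this example only, not the real backdoored releases.
KNOWN_BAD = {"axios": {"9.9.9-example", "9.9.10-example"}}


def package_instances(lock, name):
    """Yield (path, version, integrity) for every installed copy of `name`.

    lockfileVersion 2 and 3 list every installed copy under "packages", keyed by
    its node_modules path, so a copy nested under another dependency shows up
    even when the top-level copy is clean.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project entry, not a package
            continue
        # Exact match on the trailing package name; handles scoped names too.
        if path.rsplit("node_modules/", 1)[-1] == name:
            yield path, meta.get("version"), meta.get("integrity")


def audit_lockfile(lock, known_bad=KNOWN_BAD):
    """Return findings for known-bad versions and for copies with no integrity hash."""
    findings = []
    for name, bad_versions in known_bad.items():
        for path, version, integrity in package_instances(lock, name):
            if version in bad_versions:
                findings.append({"severity": "critical", "path": path, "version": version,
                                 "reason": "version is on the known-bad list"})
            elif not integrity:
                findings.append({"severity": "warning", "path": path, "version": version,
                                 "reason": "no integrity hash, so npm ci cannot verify the tarball"})
    return findings


# Constructed lockfile fragment: the top-level axios is clean, a nested copy is not.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.0.0", "some-sdk": "^2.0.0"}},
    "node_modules/axios": {"version": "1.0.0", "integrity": "sha512-constructed"},
    "node_modules/some-sdk": {"version": "2.0.0", "integrity": "sha512-constructed"},
    "node_modules/some-sdk/node_modules/axios": {"version": "9.9.9-example"},
    "node_modules/axios-retry": {"version": "4.0.0", "integrity": "sha512-constructed"}
  }
}
""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['severity']:8} {f['path']} {f['version']}: {f['reason']}")
```

Run it against a real `package-lock.json` with `json.load(open(path))` in place of `SAMPLE_LOCK`. The nested match is the point: `npm ls axios` would also surface it, but a lockfile scan runs without a checkout or an install, so it can be pointed at every repository in the organization from CI.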

Part 2: Critical Infrastructure Under Siege by Iranian Actors

  • Joint Advisory on PLC Exploitation: A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command formally attributes ongoing PLC exploitation to CyberAv3ngers. The group is a persona of the IRGC Cyber-Electronic Command (IRGC-CEC), also tracked as Shahid Kaveh Group, Hydro Kitten, Storm-0784, and UNC5691.
  • Targeted Sectors: The actors are escalating targeting of Rockwell Automation Allen-Bradley PLCs in wastewater, energy, and government facilities.
  • Massive Exposure: The advisory highlights traffic on ports 44818 (EtherNet/IP explicit messaging, the CIP transport Allen-Bradley PLCs listen on), 2222 (EtherNet/IP implicit I/O), 102 (ISO-TSAP, used by Siemens S7 PLCs), and 502 (Modbus/TCP). Team Cymru's platform identified roughly 49,000 internet-exposed devices with port 44818 open, and because EtherNet/IP answers identity queries without any authentication, each of those can be fingerprinted by anyone who connects.
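The 49,000 figure is produced by exactly the kind of probe below: an EtherNet/IP ListIdentity request on TCP/44818 needs no session and no credentials, and the reply names the vendor, device profile, product, firmware revision and serial number. The Python is an added example for these notes, not code from the podcast, Team Cymru, or Rockwell; the packet layout follows the ODVA encapsulation and CIP Identity item format, the vendor ID 1 (Rockwell Automation/Allen-Bradley) and device type 0x0E (Programmable Logic Controller) are ODVA-assigned values, and the sample reply, its product string, serial and IP address are constructed for the example.

```python
"""Build an EtherNet/IP ListIdentity probe and parse the reply it gets on TCP/44818.

Added example for these show notes, not code from the podcast, Team Cymru, or
Rockwell. ListIdentity (encapsulation command 0x0063) needs no session and no
authentication, which is why internet scanners use it to count exposed PLCs;
the same request serves an internal asset inventory. The reply built by
build_sample_reply() is constructed for this example.
"""
import socket
import struct

# Encapsulation header: command, length, session handle, status, sender context (8 bytes), options
ENCAP = struct.Struct("<HHIIQI")
LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
ROCKWELL_VENDOR_ID = 1      # ODVA vendor ID 1 is Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x0E      # CIP device profile 0x0E is "Programmable Logic Controller"
AF_INET = 2                 # sockaddr_in family value carried inside the identity item


def build_list_identity():
    """Header only, no payload; session handle 0 because no session is required."""
    return ENCAP.pack(LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(reply):
    """Return the CIP Identity item from a ListIdentity reply as a dict."""
    cmd, length, _session, status, _ctx, _opts = ENCAP.unpack_from(reply, 0)
    if cmd != LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = reply[ENCAP.size:ENCAP.size + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    offset = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, offset)
        offset += 4
        item = body[offset:offset + item_len]
        offset += item_len
        if type_id != CIP_IDENTITY_ITEM:
            continue
        # Item layout: encap version (LE), sockaddr_in (big-endian, 16 bytes), then
        # vendor, device type, product code, revision, status, serial,
        # length-prefixed product name, state.
        (encap_version,) = struct.unpack_from("<H", item, 0)
        _family, port, ip = struct.unpack_from(">HH4s", item, 2)
        (vendor, dev_type, product, rev_major, rev_minor,
         dev_status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
        name = item[33:33 + name_len].decode("ascii", "replace")
        state = item[33 + name_len]
        return {
            "encap_version": encap_version,
            "ip": ".".join(str(b) for b in ip), "port": port,
            "vendor_id": vendor, "device_type": dev_type, "product_code": product,
            "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
            "serial": serial, "product_name": name, "state": state,
        }
    raise ValueError("reply carries no CIP Identity item")


def is_rockwell_plc(identity):
    """True for the device class the joint advisory is about."""
    return identity["vendor_id"] == ROCKWELL_VENDOR_ID and identity["device_type"] == DEVICE_TYPE_PLC


def build_sample_reply():
    """Constructed reply in the shape a ControlLogix-class controller returns (values made up)."""
    name = b"1756-L71/B LOGIX5571"
    item = struct.pack("<H", 1)                                          # encapsulation version
    item += struct.pack(">HH4s8s", AF_INET, 44818, bytes([192, 0, 2, 10]), b"\x00" * 8)
    item += struct.pack("<HHHBBHIB", ROCKWELL_VENDOR_ID, DEVICE_TYPE_PLC, 0x5A, 30, 11,
                        0x0060, 0x00C0FFEE, len(name))
    item += name + bytes([3])                                            # product name, state
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(item)) + item  # item count, type, length
    return ENCAP.pack(LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


def probe(host, port=44818, timeout=3.0):
    """Send the probe to one host you are authorized to scan and return the parsed identity."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_identity())
        reply = s.recv(1024)    # a single identity item fits comfortably in one segment
    return parse_list_identity(reply)


if __name__ == "__main__":
    ident = parse_list_identity(build_sample_reply())
    print(ident["product_name"], ident["revision"],
          "Rockwell PLC" if is_rockwell_plc(ident) else "other device")
```

`probe()` is the only part that touches the network; point it at your own OT address space, never at the internet-wide population the hosts quote. Port 2222 does not answer this request (it carries UDP implicit I/O), and 102 and 502 speak different protocols, so an inventory covering the full port list in the advisory needs a separate probe per protocol.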

Part 3: Edge Devices, Zero-Days, and CISA Guidance

  • FortiClient EMS Zero-Day: CISA published information on a FortiClient EMS zero-day, with approximately 2,000 exposed instances currently on the internet.
  • Edge Device Safety: CISA also released new edge device safety guidance. The hosts emphasize that patching edge devices and having good identity management is the bare minimum expectation for organizations.

Part 4: Unmasking the DPRK IT Worker Ecosystem

  • The "Lucky Guys" Site: Independent researcher ZachXBT uncovered "luckyguys.site", a platform used by DPRK IT workers to send money back to the regime. These workers are easily making $1 million per month.
  • Team Cymru Platform Analysis: Eli Woodward used the Team Cymru platform to analyze the infrastructure, finding heavy Astrill VPN usage and traffic from Russian ASNs (ASI and TransTeleCom).
  • Operational Security Failures: The operators protected the platform with the password "123456", which let an investigative site expose the workers' Slack identities and conversations.

Part 5: APT 28 Botnet Takedown

  • Router Hijacking: The US DOJ, FBI, and NCSC helped take down a network of TP-Link and MikroTik routers compromised by APT 28 (also known as Unit 26165 or Storm 2754).
  • Botnet Scale: The botnet leveraged known vulnerabilities in these small office/home office (SOHO) devices and peaked at 18,000 unique IPs in December 2025.

Events & Community

Connect with us:

Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru

Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.